Privacy Policy
Last Updated: November 4th, 2025
This Privacy Policy explains how information about you is collected, used, and disclosed by YMMV LLC when you use our mobile application "daemon" and related services (collectively, the "Services").
We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in some cases, provide you with additional notice through the app or via email.
COLLECTION OF INFORMATION
Information You Provide to Us
daemon is designed with privacy and security as core principles. We collect minimal information from you:
- If you choose to purchase our premium features, payment information is processed by Apple's App Store and is not stored by us
- If you contact our support team, we may collect your email address and any information you provide in your communications
- If you choose to use Dropbox sync, authentication is handled through Dropbox's OAuth system. We do not store your Dropbox credentials
Information Stored on Your Device
daemon stores all your vault data directly on your device in an encrypted format. This includes:
- Vault Entries: All passwords, secure notes, TOTP seeds, and recovery codes are encrypted using military-grade multi-layer cascading encryption (XChaCha20-Poly1305, AES-256-GCM, and Serpent-256) before storage
- Authentication Data: Master passwords, PINs, and biometric authentication data (Face ID/Touch ID) are stored securely using Apple's Secure Enclave and Keychain
- Hardware Key Registrations: If you register a YubiKey or other hardware security key, device-specific credentials are stored locally
- App Settings: Your security preferences, feature toggles, and configurations
- Security Metadata: Device authorization information, authentication attempt logs, and security audit trails are stored locally
Information We Collect Automatically
We collect minimal data to help improve the app and ensure security:
- Device Information: Basic information about your device type, operating system version, and hardware capabilities to optimize app performance and security features
- Crash Reports: If the app experiences an issue, diagnostic information may be sent to help us fix problems. These reports do not contain any vault data or authentication credentials
- Security Events: Anonymous security-related events (such as failed authentication attempts) may be logged locally for audit purposes
DROPBOX SYNC AND CLOUD STORAGE
daemon offers optional synchronization through Dropbox:
- End-to-End Encryption: All vault data is encrypted on your device before being uploaded to Dropbox. We never have access to your unencrypted data
- Authentication: Dropbox authentication uses OAuth 2.0. We do not store your Dropbox username or password
- Optional Feature: Sync is entirely optional. You can use daemon without enabling Dropbox sync
- Data Transmission: All data transmitted to Dropbox is encrypted using our multi-layer encryption system before transmission
- Your Control: You can disable Dropbox sync at any time and delete synced data from within the app
- Third-Party Service: Use of Dropbox is subject to Dropbox's privacy policy at https://www.dropbox.com/privacy
SECURITY AND ENCRYPTION
daemon employs military-grade security measures to protect your information:
- Multi-Layer Cascading Encryption: Your vault data is encrypted using three layers of encryption (XChaCha20-Poly1305, AES-256-GCM, and Serpent-256)
- Per-Field Encryption: Each field in every entry uses unique encryption keys derived from your master password and entry-specific salts
- Multi-Factor Authentication: Mandatory biometric authentication (Face ID/Touch ID) with optional hardware key, PIN, and master password layers
- Post-Quantum Cryptography: Optional support for quantum-resistant encryption algorithms (Kyber KEM and Dilithium signatures)
- Secure Memory Management: Sensitive data in memory is protected using memory locking (mlock) and secure wiping techniques
- Anti-Tampering: Built-in jailbreak detection, debugger detection, and intrusion monitoring
- Panic Mode: Duress detection with decoy vault capabilities for emergency situations
- Hardware Security: Integration with Apple's Secure Enclave for cryptographic operations and key storage
- Zero-Knowledge Architecture: We cannot access your vault data. Only you have the keys to decrypt your information
However, no security system is impenetrable, and we cannot guarantee that our systems are 100% secure. The security of your vault ultimately depends on the strength of your master password and the security of your devices.
BIOMETRIC DATA
daemon uses biometric authentication (Face ID or Touch ID) as a mandatory security layer:
- Local Processing Only: All biometric data is processed and stored exclusively on your device using Apple's Secure Enclave. We never have access to your biometric data
- Apple's Security: Biometric authentication is handled entirely by iOS/macOS security frameworks. We do not collect, store, or transmit biometric information
- Mandatory Feature: Biometric authentication is required to unlock your vault, providing an additional layer of security beyond your master password
- Domain State Monitoring: The app monitors for changes to enrolled biometric data to detect unauthorized modifications
HARDWARE SECURITY KEYS
daemon supports YubiKey and other FIDO2-compatible hardware security keys:
- Optional Feature: Hardware key authentication is entirely optional
- Local Registration: Hardware key credentials are stored locally on your device
- No Cloud Storage: We do not store hardware key registration information on our servers
- Challenge-Response: Authentication uses FIDO2/WebAuthn protocols with certificate chain validation
- Multi-Device Support: Each authorized device stores its own hardware key credentials
USE OF INFORMATION
We use the minimal information we collect to:
- Provide, maintain, and improve our Services
- Process and complete transactions through Apple's App Store
- Send you technical notices, updates, security alerts, and support messages
- Respond to your comments and questions and provide customer service
- Diagnose and fix technical issues
- Detect, investigate, and prevent security incidents
- Comply with legal obligations
We do not use your vault data for any purpose, as we cannot access it due to our zero-knowledge architecture.
We do not sell, trade, or otherwise transfer your information to third parties. We may share information as described below:
- Service Providers: We may share minimal non-vault information with third-party vendors who perform services on our behalf, such as Apple for payment processing
- Dropbox (If Enabled): If you enable Dropbox sync, encrypted vault data is transmitted to and stored on Dropbox servers. This data is encrypted before transmission and cannot be decrypted by Dropbox or us
- Legal Requirements: We may disclose information if required to do so by law or in response to valid requests by public authorities (such as a court order or subpoena)
- Business Transfers: If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. Your vault data remains encrypted and inaccessible without your authentication credentials
- With Your Consent: We may share information with third parties when you explicitly consent to such sharing
MULTI-DEVICE AUTHORIZATION
daemon supports secure multi-device access:
- Device Fingerprinting: Each device generates a unique hardware fingerprint for identification purposes
- Device Attestation: New devices must be authorized before accessing your vault
- Local Authorization List: The list of authorized devices is stored in your vault metadata
- Revocation: You can revoke device authorizations at any time from any authorized device
- Security Context: Each device maintains its own security context and authentication state
AUDIT LOGS AND SECURITY MONITORING
daemon maintains local audit logs for security purposes:
- Local Storage Only: All audit logs are stored exclusively on your device
- Security Events: The app logs authentication attempts, vault operations, and security-related events
- No Sensitive Data: Audit logs do not contain passwords, encryption keys, or vault content
- Intrusion Detection: Failed authentication attempts and suspicious activities are logged for your review
- Your Access: You can review audit logs through the app's security settings
CHILDREN'S PRIVACY
daemon is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information of a child under 13, we will take steps to delete such information from our files as soon as possible.
YOUR CHOICES
Vault Access:
You have complete control over your vault. You can add, edit, or delete entries at any time.
Authentication Methods:
You can configure which authentication layers to use (hardware key, PIN, master password) in addition to the mandatory biometric authentication.
Dropbox Sync:
You can enable or disable Dropbox synchronization at any time and delete synced data.
Security Features:
You can configure security features such as auto-lock timeout, panic mode, geofencing, and post-quantum cryptography through app settings.
Device Authorization:
You can authorize new devices or revoke access from previously authorized devices at any time.
Screenshot Protection:
You can enable or disable screenshot prevention and screen recording protection in settings.
Delete Your Data:
You can delete your entire vault at any time. This action is irreversible. If you have Dropbox sync enabled, you can also delete synced data from Dropbox.
DATA RETENTION
As daemon stores your vault data locally on your device or in your personal Dropbox account (if sync is enabled), data retention is primarily controlled by you. Your data persists until you explicitly delete it. We retain any support communications only as long as necessary to provide customer service or as required by law.
CALIFORNIA PRIVACY RIGHTS
California residents have certain rights regarding their personal information under the California Consumer Privacy Act (CCPA). As daemon uses a zero-knowledge architecture and collects minimal personal information, most CCPA provisions may not apply. However, you have the right to know what information we collect and how we use it, as outlined in this policy.
California residents have the right to:
- Know what personal information is collected
- Know whether personal information is sold or disclosed and to whom
- Access their personal information
- Request deletion of personal information
- Opt out of the sale of personal information (Note: We do not sell personal information)
To exercise these rights, please contact us at the email address provided below.
EUROPEAN PRIVACY RIGHTS (GDPR)
If you are located in the European Economic Area (EEA), you have certain rights under the General Data Protection Regulation (GDPR), including:
- Right of access to your personal data
- Right to rectification of inaccurate personal data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
Our legal basis for processing your information includes: (a) your consent, (b) performance of a contract with you, (c) compliance with legal obligations, and (d) our legitimate interests in providing and improving our Services.
To exercise these rights, please contact us at the email address provided below.
INTERNATIONAL DATA TRANSFERS
Your information, including vault data, is stored locally on your device. If you enable Dropbox sync, your encrypted data may be transferred to and stored on servers located outside your country of residence, depending on Dropbox's server locations. These countries may have data protection laws that differ from those in your country.
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make changes, we will update the "Last Updated" date at the top of this policy. If we make material changes, we will provide you with notice through the app or via email (if you have provided your email address).
CONTACT US
If you have any questions about this Privacy Policy, our privacy practices, or your rights, please contact us at:
YMMV LLC